‘The Emperor Wears No Clothes’ Satye Meva Jayate

Air gap as a panacea for all cyber security threats is enough; is what our national security boffins who deal with critical networks believe or have as believe. Why they cling to this notion when all evidences point to that concept being outdated and an increasing body of evidence showing that there are many methods by which air gapped networks can be routinely compromised are a vast field of study by itself.

The ability of the human mind to fool itself has been historically recognised and stories like the ‘Emperor wears no clothes’ is meant to teach the young the vast depths of human folly where whole societies and nations can be fooled. Having bought into the fallacy that software and hardware made by foreign firms with relationship to their national security establishment could be secure if they are air gapped; it is difficult for them to accept that they were gullible. Evidences of those same nations ensuring that hardware and software from other nations are not allowed in their critical infrastructure make no impact to these fossilised minds.

Now if those companies are represented by people with whom they have formed a relationship and if post retirement sinecures are dangled and facilitated by former comrades who have thread the same path before them, pangs of doubts which occasionally crop up can easily be stifled. The junkets, sponsored seminars and more sweeten all these cosy relationships.

Now ‘ All people can’t be fooled for all time.’ and such falsehoods are eventually exposed. Indeed the chances for such perfidy happening was recognised by the founding fathers of this nation, who adopted ‘ Satye Meva Jayate’ as the national motto.

The article below is one more nail in the coffin of ‘air gapped security..

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Cross-device tracking raises important privacy concerns, the Center for Democracy and Technology wrote in recently filed comments to the Federal Trade Commission. The FTC has scheduled a workshop on Monday to discuss the technology. Often, people use as many as five connected devices throughout a given day—a phone, computer, tablet, wearable health device, and an RFID-enabled access fob. Until now, there hasn’t been an easy way to track activity on one and tie it to another.

“As a person goes about her business, her activity on each device generates different data streams about her preferences and behavior that are siloed in these devices and services that mediate them,” CDT officials wrote. “Cross-device tracking allows marketers to combine these streams by linking them to the same individual, enhancing the granularity of what they know about that person.”

The officials said that companies with names including SilverPush, Drawbridge, and Flurry are working on ways to pair a given user to specific devices. Adobe is also developing cross-device tracking technologies, although there’s no mention of it involving inaudible sound. Without a doubt, the most concerning of the companies the CDT mentioned is San Francisco-based SilverPush.

CDT officials wrote:

Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.SilverPush’s ultrasonic cross-device tracking was publicly reported as long ago as July 2014. More recently, the company received a new round of publicity when it obtained $1.25 million in venture capital. The CDT letter appears to be the first time the privacy-invading potential of the company’s product has been discussed in detail. SilverPush officials didn’t respond to e-mail seeking comment for this article.

Cross-device tracking already in use

The CDT letter went on to cite articles reporting that cross-device tracking has been put to use by more than a dozen marketing companies. The technology, which is typically not disclosed and can’t be opted out of, makes it possible for marketers to assemble a shockingly detailed snapshot of the person being tracked.

“For example, a company could see that a user searched for sexually transmitted disease (STD) symptoms on her personal computer, looked up directions to a Planned Parenthood on her phone, visits a pharmacy, then returned to her apartment,” the letter stated. “While previously the various components of this journey would be scattered among several services, cross-device tracking allows companies to infer that the user received treatment for an STD. The combination of information across devices not only creates serious privacy concerns, but also allows for companies to make incorrect and possibly harmful assumptions about individuals.”

Use of ultrasonic sounds to track users has some resemblance to badBIOS, a piece of malware that a security researcher said used inaudible sounds to bridge air-gapped computers. No one has ever proven badBIOS exists, but the use of the high-frequency sounds to track users underscores the viability of the concept.Now that SilverPush and others are using the technology, it’s probably inevitable that it will remain in use in some form. But right now, there are no easy ways for average people to know if they’re being tracked by it and to opt out if they object. Federal officials should strongly consider changing that.

Pavithran Rajan is an alumni of the National Defence Academy and was commissioned in the Indian Army in 1992 and served till 2013. He is on the Board of Advisors at the E Raksha Research Center; Gujarat Technological University, Ahmedabad and regularly consults for numerous organisations in various State and Central Government.